Transcription
Joni’s intro
I’m thrilled to work in digital identity innovation! A lot of my work is just connecting very talented and brilliant people to do what they do, in a more organized way. That way, we can move forward on the common challenges and the common opportunities, and then compete in those places where organizations have some differentiators. It’s a real thrill to be here, thanks so much for the invitation.
When you talk about the membership growing, it’s something extremely special, to come to a place in an organization that has so much potential, and where people are so passionate. It was a fantastic opportunity to help direct that energy. We wouldn’t have been able to achieve this growth if we didn’t have the passion, the energy, and the expertise. We often look outward, so we can learn what’s happening externally and pull that information in. But sometimes, we tend to lose sight of all the things that we are great at, and that we’re moving forward at the same time. We’re working towards striking that healthy balance. There’s a ton of opportunity here in Canada and I’m thrilled to be a part of it.
Why Northern Block got into Self-Sovereign Identity
As an organization, Northern Block had begun our interest in digital identity a few years ago. Many of these decentralized, blockchain-based, distributed architecture solutions that we were building were great. But they all had a bottleneck. We weren’t able to properly manage identity and credentials and compliance, without doing it in a centralized way. That detracted from the vision that we had with many of our clients’ projects, so we’ve always been interested in the space. We’ve gone a lot deeper into centralized identity over the past little while, but my feeling is that the centralized identity is merely one subset of the larger concept of digital identity.
Digital Identity 101
Mathieu: As someone who’s been deep in the digital identity space for quite some years now, how would you explain digital identity to someone new that’s just trying to get into the space or learn about it?
Joni: It is fascinating! In some ways, I think that blockchain happened to us in the identity space. The decentralized model intersected us, so it’s been really fascinating to see.
Stepping back to that question of “How would I describe identity?”
I would describe identity as a collection of data and attributes that describe you. If you think about it as almost like a “bag of data” or “bag of attributes”; these are the things that describe you and who you are. Some of those pieces of information are going to be things that you put forward yourself, and other pieces of information are going to be things that others are confirming or validating about you. So effectively, it’s that total collection that makes up the foundation of identity. Some of those pieces of data are more authoritative or more legally binding, while others are less so.
Then, if we think about our identity, we can also think about something called “personas”, or the way that we present ourselves to the world. I may have one, or more. That is, I have a single identity for who I am, but the persona that I put forward from a career or work perspective may have a certain shape and size. The persona that I put forward in my personal life may have a different kind of shape and perspective. So the weight of importance of that data is very contextually based.
I think that it can be considered as the total of that data about you, how it’s organized, and how it’s presented.
Mathieu: I guess you gave an example of self-attested information, or something you say about yourself. But what would be a legally binding piece of identity data? Where would that come from?
Joni: It would be the legally binding identity data from the digital perspective. We have lots of legally binding identity data today, it’s just not always in digital format. For example, a birth certificate is a legally binding piece of data about you; or for another example, a driver’s license is a credential to drive that includes legally binding information. Often, the information may be about you: your date of birth, or maybe certain characteristics about you that are captured in that driving credential. When identity information is also legally binding, it’s what we call in Canada “foundational”. So, a birth certificate is foundational; also, a permanent resident card is a foundational piece of evidence about you — about who you are, that legally instantiates your identity.
Now, these aren’t fully digital yet, so that’s something that we’re working on. But there could be other legally binding attributes that are assigned to you, such as: Are you a certified physician? Or, are you an active lawyer? Different kinds of professional certifications and accreditations can also be legally binding in terms of your liability concerning contracts that you’re involved in. I believe that the legally binding space on identity and data is something that needs to be worked on further.
Policy in Canada
I think that here in Canada, we have seen, and continue to see, a lot of work in the federal space on Bill C-11 on consumer rights and consumer protections around personal data. I think we’re missing a real opportunity, around a holistic view on data rights in general. Data rights should be centered around the user, regardless of whether that data is being generated and in the custodianship of a private sector entity, or if that data is being generated by a public sector entity. That’s part of the work that we’re doing here in DIACC (Digital ID and Authentication Council of Canada). We’re working not only on the nuts and the bolts of how these systems and solutions function, but also on the pieces that are missing. For example, where does the policy attention need to go, to ensure that we have the data available, that we’re empowered with it, and that we can use it? At the same time though, we must understand what the risks and protections may be, and what the obligations are around that data, depending on how it’s used.
Mathieu: If you take Identity Data as a subset of just digital credentials or digital data, that can get into a very touchy area for a lot of the different aspects during the conversation about legislation. I’ve been seeing a lot more of it recently with what’s been happening on social networks. It forces you to realize the effect that private companies could have on the way data is managed or used, or how things could be cancelled completely. Do you think at this point when you talk about policies, is it an area within the digital identity landscape that the public sector or government would need to come in, and maybe revamp some of the laws that were in place before this digital world took off so fast?
Joni: I think it’s a great question and I’ll also make clear that I’m speaking for myself today. At certain times, I may be speaking on behalf of DIACC. However, I’m not speaking for the Government of Canada or any of the provinces or individual members. That being said, my personal view is: “Yes, there needs to be leadership from a policy perspective regarding access to data.” I would say that from a policy perspective, it’s a gray area today in terms of what access you should have to the data, and how you should be able to use it. I think that we often get data displayed to us when we’re logging into a system, but we can’t necessarily get that data out and use it in a particular way.
There’s work to be done. As one of our objectives, we are helping to identify the policy enablers, as well as the policy barriers. It’s going to be quite the study, so we’re working on how to do that, how to do it in partnership, and how to do it efficiently, in a way that helps to reduce uncertainty. As an example, I’ll give you my own experiential use case. I immigrated to Canada, and I went through a very significant verification process with the federal government in order to immigrate. They verified a great deal of information. Due to the currently existing policy, there is no structure by which I could either give permission, or direct the Office of Immigration and Refugees Canada to provide that package of verified information to the province that I was moving to. So I had to repeat that process of enrollment and verification with my destination province.
Part of the challenge there is that there is existing policy that says that departments are not allowed to share information. The policy has some value, so it’s not to say that that’s a bad policy. But that policy creates a situation where there is no mechanism for the citizen (or resident) to be empowered to say “Hey, I’ve provided all this data. I understand the circumstances and the purpose of that, and now I direct you to share that data.” Or alternatively, “I ask you to share that data with another party for a purpose of my choosing.” So, there is prohibitive policy in place right now that won’t allow that. I think we want to keep the protections, but we need to focus on the empowerment side of it, and on singular information-sharing agreements. Whether that’s across public sector actors only, or information-sharing agreements across private sector actors as well, it’s just not scalable. It’s feasible for us to get to an ecosystem that puts people more in control and more empowered. Of course, we’re still going to have different types of governance from one network to another. We respect and understand that there will be different liability schemes, different governance, and different ecosystems.
Digital vs Digitized
Creating this pathway, so that I can effectively make digital utility of the information that’s in that driving credential, or in that permanent resident card — that’s the place we have to get to. An effective digital driver’s license is quite different from a digitized driver’s license, as it has extra layers to the information.
There’s a difference between something digital, and something that’s been digitized. Digitized refers to capturing something that exists and simply converting it into a digital format. For example, taking a picture of the identity card and putting it into a container of some sort, that would be considered digitized. But a true digital identity would be able to leverage the data that’s in that card, and the data would be verifiable. The driver’s license credential is a derived credential that is based on another type of foundational evidence. If we achieved a state of truly digital, the only information we might need to pass is a token that says I’m of the age of consent or not. Or, a token that says I live in British Columbia. If we truly arrive at digital, then we’re effectively working with particular attributes or claims that are known about us; whether those are self-issued claims that we make about ourselves, or whether they’re third-party authoritative claims from another source.
To sum up, “digitized” information has some utility; however, what we’re really after is “digital”. Truly digital information gets to the heart of the verified and verifiable data. The objective is to make it usable for individuals, as well as for people who are acting on behalf of businesses and for governments. As long as we have choice, control, and consent in that ecosystem, that’s a priority here.
Digital Identity in Canada
Mathieu: I think that gets you much closer to a user-centric scenario that is security-by-design, and privacy-by-design. All of these experiences that we’re striving for, come from having the ability to be selective about what you’re sharing or not sharing, and from the ability to be selective about your personas, as you mentioned earlier.
Moving on, I appreciate the overview here of Digital ID as a whole, but now, I’d like to look at Digital ID from a Canadian perspective. You would have great visibility into this, at both a federal and provincial level — it’s apparent that many of the government bodies here in Canada are investing significantly into their digital identity strategies. They’re working hard to fully revamp the architecture and accelerate the progress towards some of these goals that we’ve been talking about here.
How do you see digital identity in Canada, and how does it compare to what’s happening in other countries or regions like the European Union? I think there’s a lot of innovation and leadership happening in Canada. How do you compare the digital identity progression in Canada to what you’re seeing in the rest of the world?
Joni: Yeah, there is. That’s a great question, and I would say it’s also a particularly interesting question to me, as an immigrant from New Jersey to Canada. From that perspective, feeling the cultural differences of how particular regions might look at things, and also being someone who’s worked in the space in a global landscape — I would say there are times when we’re not always good at calling out the places where we are moving forward. There are times when we are also falling behind, so there’s not a singular perfect answer. If we get into levels of assurance, we’ll talk about the importance of having more defined scorecards to measure progress. Where we are, and how we’re doing — it very much depends on what kind of question we’re asking.
Back in 2015, DIACC (Digital ID and Authentication Council of Canada) put out a white paper titled “Building Canada’s Digital Future”. The white paper outlined that the opportunity for the public and private sectors to come together in Canada, and to put an economic-benefits-for-all approach at the forefront of the economy, is important for everyone. Regardless of whether you’re an individual or a business owner, or you’re a government entity, the economy matters to all of us. So let’s put the economy, and benefits-for-all first. Then, let’s put public and private together under that umbrella to collaborate, and to develop an approach forward. That kernel right there is world-leading, I would argue. Until I got to Canada and joined DIACC, I hadn’t seen any organization or region take that very specific approach. I think that’s unique. In many other countries around the world that I visited (New Zealand for example), they have very clearly stated that that was fascinating and inspiring to them. I’ve since seen many other regions around the world start to move towards using that kind of economic lens, and I think that’s fantastic.
European Union Progress
These entities are even going as far as the eIDAS (electronic IDentification, Authentication and trust Services) program. eIDAS is instantiated to enable benefits delivery, so we have trust point anchors across each of the European member states. That means we can ensure that people can get access to their insurance or their service delivery. From the government side, a single market for that eIDAS wouldn’t be able to build in that type of broad economic private sector lens.
At the end of last year, Angela Merkel of Germany gave a speech where she spoke about the importance of these systems; for a single digital market for economic growth that benefits everyone. The next version of eIDAS deeply considers the question of how we bring in both sides of this picture. In other words, bringing public capabilities and private capabilities into the same ecosystem. Using that framing, I’d say we were way ahead in looking at that as a collaborative effort. Recognizing that people are at the center and that they make transactions, whether they’re transacting with the government or whether they’re transacting with business. So we’re way ahead there.
Challenges in Canada
There’s also a tendency to look to our friends in Estonia. Which is great, there’s lots to learn there. We should always be looking at what’s happening around the world, but we have to also recognize that we’re a federated country. Our healthcare system is a great example. People say “Oh, Canadian public health care”. Well actually, it’s provincial public health care. There are 14 different entities providing health care services; not a singular one. Identity works in the same way, so we have to be able to pick and choose the things that work for us, and organize them in a way that works with our federated governance and our culture as well. We have our own cultural uniqueness in terms of what people are looking for, and what they aren’t. What we’ve seen on the digital identity front is that it will typically be done in a top-down, federal governmental approach. It’s handled in a very singular approach and solves a particular need. There are places where we are behind, even in that top-down, “How do I transact with government” approach. We’re not as far along as we’d like to be.
When it comes to that economic view, I think we’re quite ahead. Is it an easy path? No, it’s not an easy path. You’re bringing together players that have different cultures, and different priorities. Maybe the priorities are similar, but they’re organized in different ways and different working styles. So, it’s fascinating to be in DIACC where we have peers, partners, and competitors working together. We have healthy collaboration and healthy tension — whether that’s across public sector actors, private sector actors, or the collective as a whole. We’re quite ahead in the sense of the collaborative, the vision, and the view, and in the way that we’ve crafted our framework for that purpose and for some of the specific use cases. We’re behind on that journey and we need to get moving, but ultimately I do think that we’re in a good position because we’ve looked at this all the way through. However, if we don’t have the political priority from different levels of government (federal, provincial, and territorial), we are not going to be able to excel the way that we need to. If we don’t have a common data approach, and common data strategy where people’s data is concerned, we’re not going to be able to leverage all the acceleration that’s happened. It’s not a simple answer.
Digital Wallet Opportunities
Looking at identity in the context of banking or the financial sector, we have lots of collaboration happening there. We’re either on pace or ahead in terms of how the financial sector is collaborating, depending on where and how you’re comparing When we look at the matter from the public sector perspective, the provinces and the territories are all in different places. So I think there’s a real opportunity for them to come together and be clear about the kind of ecosystem that’s needed. For example, the number of credentials that will be available in each of the provinces could drive a market. If we knew the numbers on how many credentials we need in play going forward, it would help digital wallet designers and the direction that they’re taking. I think there’s a real opportunity there.
Also related to this question: you asked earlier about how the distributed ecosystem looks to someone who’s been doing this for at least 20 years. I think that we have to be careful. We have to recognize that there is a global landscape on the technologies. The governance and the policy are going to be very local in focus. When we try to form global governance and policy, we have to recognize all the complexities that come into play. When it comes to the technology, it’s not exactly the same space. So, I think that if Canada were to try to technically control the solution so tightly for digital wallets as an example, we might find ourselves in a place where we’re not going to be able to interact with ecosystems around the world. We have to be watching, and contributing, and consuming, and paying attention, and incorporating what’s happening on a global landscape.
I’ll give you an example: there’s not a unified standard for digital wallets yet. There’s barely even a collection of standards around digital wallets. That’s a space that needs to play out in the ecosystem before we can make any kind of statements or decisions about what the technology should look like. We can certainly have principles, and we can certainly have guidance that needs to play out further. From my perspective, I would say when we look at data models such as the Verifiable Credentials of the W3C (WorldWide Web Consortium), and particularly JSON LD; this is a place where we’re seeing global momentum towards this data model. It’s not the only data model, but we are seeing momentum there. So we’re suggesting that if we can ask questions such as “Hey, what’s happening with W3C on that data model?”, that’s important.
We need to pay attention to that. We need to have systems ready for that because that could be an initiative that’s building towards a global convergence and consensus. Where we’re not seeing that global consensus or convergence, we can’t run to try to tighten things down. We might end up in a place where we’ll have to reverse engineer. In that case, we’ll lose funds and we’ll lose time, so we have to stay very agile.
Moving Forward
Yeah, it is a complex landscape. Pieces are moving forward, and when we think about what we’re doing in Canada and in the Pan-Canadian Trust Framework as well, I like to think that it’s really additive. What do I mean by “additive”? I remember very clearly the development of the Security Assertion Markup Language, SAML. I also remember very clearly the emergence of OpenID and OpenID Connect, and I recall people claiming “Oh, SAML is dead, now SAML is over”. Well, SAML is not over, and it’s not going to be over any time soon. Neither is OpenID going to be over anytime soon. If you look at something like the FIDO (Fast IDentity Online) Alliance protocols, the UAF and the U2F, and the web tokens, the FIDO Alliance would say “Kill the password”.
I think that’s something we can all get behind. But I think rumors of the password’s death are very hasty, because I think we’re probably going to have passwords for quite some time still. I think we’re going to see the slow demise of passwords eventually, but they’re not going to go away overnight. When we think about technology and the way that we move forward, we also have to think about Canada being ahead or behind. We definitely have to think about the ecosystem as being additive, recognizing that many technologies will be in play. We have to have structures that can handle and verify when and how those technologies are used, and what governance is overlaid. We also need to be able to slice through on the things that are important to help us move forward. I believe whether you’re talking about self-sovereign identity, or you’re talking about classic federation, what’s important for all of those is access to verified and verifiable data.
We need to keep our focus there and recognize that interoperability in 2021 is not necessarily what interoperability looked like in 2010. It’s not: “Let’s all use the same spec, and all design the same way, and now we’re all interoperable”. Interoperability now needs to address different networks, different architectures, different technologies, and different governance.
Now, can we consume the same data, can we take that data and make it usable in our ecosystem? I think you have to take a scorecard look at it, versus a singular kind of position. It’s complex, and it’s a moving target.
Mathieu: There’s a lot to unpack out of that journey! Where to start?
I think we hear this all the time — Estonia gets thrown out there as a successful program, with the discussion being “Why don’t you implement this?”. As you mentioned, based on Canada, and the way Canada is structured — it’s just so different. We’re unique compared to anywhere else. For that matter, every place has its unique characteristics.
Joni: It’s quite interesting to see some top-down initiatives happening. We’re seeing them in Germany too, where they had meetings at the end of last year to emphasize the importance of the digital identity strategy. I think it’s awesome that these countries are realizing numbers that the DIACC put out as well. There’s not an insignificant percentage of a country’s GDP that could be gained in value from a proper digital identity strategy. That’s even more important in emerging economies. I recognize and appreciate that we need to set principles, but we can’t simply jump into anything. We’re going to shoot ourselves in the foot if we do that, and it isn’t just local. It’s a global concern and I think the one thing to remember, is that no one solution fits the whole thing, collaboration is needed.
Every different group of people brings different tools that are part of the same overall toolkit, but they all need to be able to work together to take us to the next stage. With the Pan-Canadian trust framework and the principles coming out of that, and the collaboration between the public and the private sector, this is really what you’re trying to achieve here in Canada. Everyone needs to be working together, and then you could agree to disagree on certain things. However, everyone needs to agree on certain sets of principles.
Interoperability and the Pan-Canadian Trust Framework
Mathieu: The last topic I wanted to address follows our discussion about ecosystem collaboration. You mentioned interoperability. How are you and the DIACC pushing to make interoperability a reality in 2021, or at least in the next few years?
Joni: That’s a great question and I believe we do have some degree of interoperability already. We see some networks that are sharing information today. I think we have building blocks in place, and pieces of the solution, and I think we have a ton of goodwill, and passionate people and passionate organizations. It’s about focusing and supercharging on what’s important; collaborating, and working together.
With the Pan-Canadian Trust Framework (PCTF), it’s been a very interesting and special journey. Different orders of government, as well as private sector players, are sitting together at the virtual table, and we’re having many public consultation periods. We received over 4,000 comments, from at least five countries around the world. We’re being very open and collaborative, but still creating a safe governance space for different partners to work together. It’s been quite a journey, and we are in the process right now of alpha testing the framework. We’re not alpha testing solutions, because what we want to do here is to validate and make sure the framework behaves the way we thought it was going to, and the way that we specified it. If that’s the case, it is going to provide value on the interoperability front.
Framework Principles
When we look at the principles of the way the framework is built, one of the things that was so challenging and exciting is that it’s not built for a singular model. It’s built in a way that must be applicable to classic federation models, or for authentication hubs, and for all those pre-existing systems. It’s also built to be able to bend and flex for hybrids across multiple ecosystems and networks, such as:
– Distributed identity ecosystems,
– Permission distributed identity ecosystems,
– Trusted networks, and
– Trusted operator networks.
This holds true, all the way to very distributed, very open, self-sovereign networks that may have fewer controls in terms of how participants engage in that ecosystem. It’s always easier if you start with a common picture. For example, “This is what a house looks like. We’re all going to design for this house”. It’s a lot easier if you start with a clear picture: it might be a house, it might be a tent, it might be a lean-to. You have to find your way through, and recognize how you can approach the design in a way that achieves à la carte functionality, as well as combined utility for all the pieces.
The way that we worked through that was with a very component-based approach. We could have a specific component for credentials, a particular component for authentication, a component for verifying a person or verifying an organization. We have a privacy component, but we also have privacy built-in to every single piece of the framework. One way to deal with a wicked problem is to componentize. That’s what we did, so we can fix one piece and not tussle with all of the others if there’s no reason to do so. That approach also enables organizations to come and pull off-the-shelf for the piece that’s most important to their requirements.
Current Status
Right now, we are alpha testing the framework with different kinds of actors, both public and private, and with assessors. Through this process, we’re going to learn what may need to change, and what may not need to change. We’re going to get real knowledge there. I will say that what we’re seeing already, is that DIACC and our priorities are really driven by members. Our members are experts in digital identity. While some organizations focus on every piece of the puzzle and the ecosystem, we are truly focused on that horizontal of “identity”. The approach cuts across all the different verticals, and so we are driven by those member experts and their experience-based priorities. One item that the members were calling for, is a digital wallet component for the PCTF. They’re actively working now on what that could look like. Since we’re using that component approach, we’re very likely to add other components as we move forward in this framework, as the ecosystem demands.
We have a timed review process for how those components may need to adjust over time. So, this is all exciting. We’re kicking the tires on version one. The group is already demanding functionalities around a digital wallet, and working out what those principles look like. The framework contains our defined processes for different features and capabilities. There are notions of levels of assurance, that are tied in or identified. The framework also works by reference, in terms of calling out specific technologies. For example, it may be calling out where you should use particular encryption, or what technologies would be acceptable in which instances.
Trust Networks
Our next stage in the roadmap is to launch the certification program for the PCTF, which is called “Voilà Verified”. The Voilà Verified program will launch at the end of 2021. Once that’s in place, then organizations will be able to pull pieces off of the shelf, and work through our process with recognized information security auditors in a laboratory. We need to recognize the information security auditors, to provide verification that the organization has been following the processes, the procedures, and the governance that have been defined. Then, we can review in a laboratory setting, from the perspective of how the code was actually implemented, and validate that it was implemented as specified. So, you need those two pieces of the puzzle.
We’re excited about that program, and the organizations who are alpha testing the PCTF right now are all DIACC members. What’s great about that, is the participants get real operational knowledge by going through the materials that we’ve prepared. They get strategic information and operational knowledge by going through that internally. They also get a view on where they might be, in terms of being able to achieve that trust mark or not. When we do launch the program, I would suspect that the organizations that have done alpha testing are probably going to be further down the line, or they’ll have a good idea in terms of their ability to earn a trust mark or not. So our roadmap requires launching that program at the end of 2021 and expanding it in 2022.
I would also predict that we’re likely to have what we call “profiles” or “schemes”. That is, we have the base Pan-Canadian Trust Framework, and if we have a particular network or a particular community, they may say “Well, okay, we have the base.” We’re not loosening the rigor on the base, but we might add on top of the base. A given player might say, “These are the pieces that are important to us, so for network x, then profile x or scheme x is the one that we’re using”. I think we’ll see different flavors of how a trust mark is applied, and the utility that particular trust mark provides.
Verification and Certification
The other thing that we’re contemplating with regard to interoperability, is having a pathway for what we’ll call “network interoperability” or network verification. What I mean by that, is: if you’re working in the ecosystem of a trusted operator or a trusted network operator, or even a classic federation operator, there’s a specific set of agreements. Those agreements might dictate “These are the things that we have to follow”, and so you may need a certification to get in that virtual door.
In the very open, self-sovereign identity ecosystem, there are no requirements to have specific certifications to be a part of a given network. So, that might be more of a market differentiator, in terms of wallets or organizations that display that trust mark. Yeah, we’re being very flexible and agile about the way the PCTF is applied, and the potential to apply it in these different models. Not all models are built the same, and we have to be able to work in that environment because that is the reality of what the ecosystem looks like. We don’t foresee a singular model anytime soon, so we have to plan for that vibrancy, and we have to plan for that diversity.
I think we do see some interoperability now. We’ll see more “verified interoperability”, that addresses both the technology and the code. We’ll also see interoperability in terms of the policies and the processes that are being applied. We’ll see that with the Voilà Verified program, beginning at the end of 2021, and then growing through 2022.
Related Links:
